Compared to the Android and iOS app stores, the Windows Store is still in its early stages of adoption, and its application development community has not been subjected to the same software security scrutiny as other app ecosystems. As Windows mobile sees increased enterprise use, however, ensuring applications are secure will be essential for avoiding a potentially high-profile gaffe, according to developer Bill Sempf, who presented at the recent Black Hat Europe conference. To harden Windows 8 apps for the Windows Store, programmers can increase their awareness of potential attack vectors and adopt security best practices such as the use of source code analysis software.
With its introduction of the new Windows Store, Microsoft also debuted a new SDK called WinRT, Sempf explained. WinRT has development hooks in HTML5, .NET and C++. Although having three platforms creates a larger attack surface, the Windows Store sandbox, which resembles that of other runtime applications, has been considerably hardened, making application security mostly a matter of information protection and securing underlying services.
WinRT features of note
There are several potential attack vectors that developers need to consider when working with WinRT, Sempf explained. Among these are the Live Connect Identity API, which allows apps to use Windows login information from other apps; the Capabilities interface, which allows developers to set which OS functions the app will use; remote and local storage controls; and networking options. Capabilities are complemented by Declarations, which allow developers to set the type of access their app needs from the OS, the Corelan Team noted in a summary of Sempf’s talk. Declarations are also important, as they can allow for backdoor access if poorly handled.
“Even if apps don’t know anything about each other, [they] can still work together by setting them as a ‘share’ target,” the Corelan Team blog explained. “If you enable your app to be a ‘share’ target, you’d better provide the code to handle this properly.”
While poorly applied settings could expose developers to security issues, WinRT has several built-in security controls, Sempf noted. Windows.Security provides built-in hashing and encryption APIs; OAuth standardizes authentication; and the platform is designed so that unexpected behavior, such as an XSS attack, crashes the app. Additionally, the Windows 8 kernel has been hardened to resist most contemporary malware designed to take advantage of it.
Best practices in WinRT
Sempf also recommended that developers pay close attention to how they handle both local and remote storage and that they test their service layer. Setting capabilities to limit privileges to the essential functions is important, as programmers should minimize the number of touchpoints attackers could potentially use. In particular, applications should try to avoid using the Documents Library, Enterprise Authentication and Shared User Credentials capabilities, as these offer admin-level access and are generally unnecessary.
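One way to check a package for the capabilities and declarations discussed above is to audit its app manifest before submission. This is an added example, not code from Sempf's talk or the Corelan summary; the sample manifest is constructed and trimmed, the function name is hypothetical, and mapping "Shared User Credentials" to the manifest name sharedUserCertificates is an assumption.

```python
import xml.etree.ElementTree as ET

# Windows 8 app manifest namespace (Package.appxmanifest / AppxManifest.xml).
NS = {"m": "http://schemas.microsoft.com/appx/2010/manifest"}

# Capabilities the article says to avoid, keyed by manifest name. Mapping
# "Shared User Credentials" to sharedUserCertificates is an assumption.
AVOID = {
    "documentsLibrary": "Documents Library",
    "enterpriseAuthentication": "Enterprise Authentication",
    "sharedUserCertificates": "Shared User Credentials (assumed mapping)",
}

# Constructed, trimmed sample manifest; not taken from a real app.
SAMPLE_MANIFEST = """
<Package xmlns="http://schemas.microsoft.com/appx/2010/manifest">
  <Applications>
    <Application Id="App" StartPage="default.html">
      <Extensions>
        <Extension Category="windows.shareTarget">
          <ShareTarget><DataFormat>Text</DataFormat></ShareTarget>
        </Extension>
      </Extensions>
    </Application>
  </Applications>
  <Capabilities>
    <Capability Name="internetClient" />
    <Capability Name="documentsLibrary" />
    <Capability Name="enterpriseAuthentication" />
    <DeviceCapability Name="webcam" />
  </Capabilities>
</Package>"""


def audit_manifest(xml_text):
    """Return (findings, declared_capabilities) for one manifest document."""
    root = ET.fromstring(xml_text)
    caps = [c.get("Name") for c in root.findall("m:Capabilities/*", NS)]
    findings = [f"avoid capability: {n} ({AVOID[n]})" for n in caps if n in AVOID]
    # Declarations live under each Application's Extensions element.
    for ext in root.findall(".//m:Extensions/m:Extension", NS):
        if ext.get("Category") == "windows.shareTarget":
            findings.append("declaration: share target; review the handler "
                            "for data received from other apps")
    return findings, caps


if __name__ == "__main__":
    findings, caps = audit_manifest(SAMPLE_MANIFEST)
    print("declared capabilities:", ", ".join(caps))
    for finding in findings:
        print("REVIEW:", finding)
```

Run as part of a build or code review step, a non-empty findings list is a prompt to justify each entry or remove it from the manifest.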
In general, Sempf said, Microsoft was thorough in its security settings for WinRT, mitigating many of the errors developers might easily make. However, adopting precautions such as the use of source code analysis tools and code review can help further reduce the danger of poorly secured applications.
“[T]here is little protection for bad code,” Sempf wrote. “Building insecure apps will make life easier for the attackers, and using the ecosystem improperly will weaken the whole environment. Taking care to code securely, test and review configuration with the Good Ideas in mind will make for a quality experience for your users and all users.”
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.